oxd-python, pre-registered client

By: Benedikt Schmeitz
user, 11 Feb 2018 at 3:36 p.m. CST

6 Responses

Problem: cannot connect oxd-python with a pre-registered client.
I pre-registered an OpenID Connect client from the Gluu GUI.
Using the exposed Inum as client_id within the oxd-python configuration, as mentioned [here](https://github.com/GluuFederation/oxd-python/blob/master/sample.cfg), results in:
1. (dynamicRegistrationEnabled: false) internal server error
2. (dynamicRegistrationEnabled: true) registers new dynamic client. -> cannot access scopes with "Allow for dynamic registration: false"

Questions:
A: How to retrieve the client_id from the Gluu GUI?
B: How to approve a dynamically registered client?

Gluu 3.1.2
Debian 9.0

closed

Answers

By Michael Schwartz
staff, 11 Feb 2018 at 8:16 p.m. CST

A few suggestions:
1. View the client in oxTrust (openid / clients menu), and make sure you explicitly release the desired scopes.
2. You don't need to register a client unless you are using oxd-web. If you are running oxd on localhost, it uses sockets, and you won't need to present an OAuth client=grant access token to call the oxd APIs.
3. The python demo app has moved to a new project [oxd-python-demo-app](https://github.com/GluuFederation/oxd-python-demo-app)

By Jajati Badu
Account Admin, 12 Feb 2018 at 2:17 a.m. CST

Hi Benedikt,
I can see you are using Gluu server 3.1.2, and oxd server 3.1.2 is not yet released. If you are using oxd-server v3.1.1, we need to check if oxd-server 3.1.1 is compatible with Gluu server 3.1.2.
Also, could you please share the oxd-server log file to investigate the issue?
Location: /var/log/oxd-server.log
Kind Regards,
Jajati

By Jajati Badu
Account Admin, 12 Feb 2018 at 8:21 a.m. CST

Hi Benedikt,
This issue is not reproducible for us. One more note: your client application URL should be https and a host name like https://client.example.com
(Allow for dynamic registration: false)
1- Created an OpenID client in Gluu server with 3 scopes
2- Entered ClientId, Client secret and 5 scopes in the oxd-python configuration file
4- When I registered the client, the registration in oxd-server was successful. But the Gluu server scopes were the same. Just 3 scopes like before.
5- Tried to update the scopes using the Update site method. But that threw an error because the OP's (OpenID Provider) Dynamic Registration was disabled.

In summary, if your OP's Dynamic Registration is enabled and you try to register a client using oxd-python/oxd-server, the process will create one entry in oxd server and one entry (Create Client) in Gluu server.
If the OP's Dynamic Registration is disabled, you need to manually enter ClientId and Client secret in the configuration file. Register client will then create one entry in oxd-server only. There will be no communication to the OP.
Could you please provide us the log file and steps to reproduce the issue you are having?
Kind Regards,
Jajati

By Benedikt Schmeitz
user, 12 Feb 2018 at 12:12 p.m. CST

From your last answer I noticed my mistake.
Configuring oxd-python needs:
- client_id = Inum from Gluu GUI
- client_secret = secret from Gluu GUI
- authorization_redirect_uri = one of the configured authorization_redirect_uris from the Gluu GUI
- [optional] scopes = ...
I missed the entry client_secret. This results in a new entry in oxd server and one entry in Gluu server. What I expected was only a new entry in oxd server + error code missing/invalid client_secret.
This might be intended for security reasons? But kind of unexpected for me. I would love a pre_registered_client = true flag + verbose error log for this situation.
Maybe I just missed the documentation for oxd-python and pre-registered clients. Does it exist?
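
A preflight check for the misconfiguration discussed in this thread, as an added example that is not part of the original posts or of oxd-python: it flags a `client_id` without a `client_secret` (the case that ended in an unintended dynamic registration) and a redirect URI that is not an https host name. The `[client]` section name, the function name `check_preregistered` and all sample values are assumptions constructed for illustration.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample: client_id is set but client_secret is missing,
# the mistake described in the last post of the thread.
SAMPLE_CFG = """
[client]
client_id = @!1111!0008!EXAMPLE
authorization_redirect_uri = https://client.example.com/callback
scope = openid,profile
"""


def check_preregistered(cfg_text, section="client"):
    """Return a list of 'key: problem' strings for a pre-registered client config."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    if not parser.has_section(section):
        return [f"{section}: section is missing"]
    cfg = parser[section]
    problems = []

    client_id = cfg.get("client_id", "").strip()
    client_secret = cfg.get("client_secret", "").strip()
    if not client_id:
        problems.append("client_id: empty, set it to the Inum shown in the Gluu GUI")
    elif not client_secret:
        # Per the thread: without the secret, a new client was created on the
        # OP when dynamic registration was enabled, instead of an error.
        problems.append("client_secret: missing for a pre-registered client_id")

    # Per the thread: the client URL should be https with a host name.
    uri = urlparse(cfg.get("authorization_redirect_uri", "").strip())
    if uri.scheme != "https" or not uri.hostname:
        problems.append("authorization_redirect_uri: must be an https URL with a host name")
    return problems


if __name__ == "__main__":
    for problem in check_preregistered(SAMPLE_CFG):
        print("config problem ->", problem)
```

Running it against the configuration file before calling the register step makes the missing secret visible up front, rather than through an extra client entry appearing on the Gluu server.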